PRESENTATION ABSTRACT:

The software security and integrity of common embedded devices is still often overlooked. Compromising a central part of a network (modems, routers/switches, etc.) yields a unique and powerful vector for both eavesdropping on and injecting packets. This talk will cover the main aspects of a typical DSL modem and the risks that emerge from the ways ISPs manage and support their customers.

Expect an in-depth explanation of vulnerabilities we found and were able to exploit successfully and reliably from both the local and remote sides without requiring any user interaction.

The talk can be broken down into the following big parts:

* Introduction to DSL modems and why we should care about them
* Identifying local and remote vulnerabilities
* Responsible disclosure of these vulnerabilities
* Debugging on (hostile) embedded devices
* Reliably exploiting remote pre-auth vulnerabilities
* Building an advanced trojan for MIPS/Linux

This talk will start with a quick explanation of what a DSL modem is capable of and why we should care about it. Subsequently, there will be an introduction to the various methods of managing these DSL modems locally (for end users) and remotely (for ISPs).

Next up, there will be a description of the process we followed to identify a basic local command injection vulnerability in the device's management interface in order to pop a shell on the device.
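To illustrate the bug class the talk refers to, here is an added example (not code from the talk, the modem firmware, or the speaker): a hypothetical "diagnostic ping" handler of the kind found in embedded-router web interfaces, written once with the vulnerable pattern (user input spliced into a string handed to system()) and once hardened (allowlist validation plus a direct exec with an argv array, so no shell ever parses the input). The form field name, the path /bin/ping and the attacker string are assumptions for the example.

```c
/* Added example, not from the talk: a hypothetical "diagnostic ping" CGI
 * handler on an embedded router. The vulnerable version builds a shell
 * command from a form field; the hardened version validates the field and
 * execs ping without a shell. /bin/ping and the inputs are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define HOST_MAX 253   /* longest legal DNS name */

/* Vulnerable pattern: the user-supplied host is spliced into a command
 * line that the handler then passes to system(), i.e. to /bin/sh -c.
 * Returns 0 and fills `out` with that exact string, -1 if it does not fit. */
int build_ping_cmd_vulnerable(const char *host, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "ping -c 1 %s", host);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Allowlist check: only characters that can appear in an IPv4/IPv6
 * address or hostname. Anything else (';', '|', '`', '$', '&', space, ...)
 * is rejected, so no shell metacharacter can reach a command line.
 * A leading '-' is rejected too, since ping would parse it as an option. */
int host_is_safe(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > HOST_MAX) return 0;
    if (host[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':')) return 0;
    }
    return 1;
}

/* Hardened pattern: validate, then exec ping directly with an argv array.
 * No shell is involved, so the input can only ever be a single argument.
 * Returns ping's exit status, or -1 on rejected input / spawn failure. */
int ping_host_safe(const char *host)
{
    if (!host_is_safe(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)host, NULL };
        execv("/bin/ping", argv);   /* assumed path; only reached in child */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[512];
    /* Constructed attacker input: a valid address followed by a second command. */
    const char *attacker = "127.0.0.1;/bin/sh -i";

    if (build_ping_cmd_vulnerable(attacker, cmd, sizeof cmd) == 0)
        printf("vulnerable handler runs: sh -c '%s'\n", cmd);
    printf("host_is_safe(\"%s\") = %d\n", attacker, host_is_safe(attacker));
    printf("host_is_safe(\"192.168.1.254\") = %d\n", host_is_safe("192.168.1.254"));
    return 0;
}
```

The point of the hardened variant is not the character allowlist alone but the combination: even if the allowlist were loosened, execv() passes the host as one argv element and never invokes a shell, so separators and substitutions have no meaning there. The leading-dash check closes the remaining avenue, argument injection into ping's own option parser.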

After warming up a bit with this basic command injection vulnerability, there will be an explanation of how a remote (WAN-side) vulnerability was identified and successfully and reliably exploited. This includes detailed explanations of exploiting memory corruption bugs and doing return-oriented programming (ROP) on MIPS. To take a break from all the technical stuff, we'll briefly cover responsible disclosure and our experience with disclosing these vulnerabilities to the biggest Dutch telco/ISP, in order to mitigate a lot of (potential) damage and not end up in jail.

To make things more interesting beyond popping a simple shell, we will explain how we developed a somewhat advanced trojan/RAT for these limited devices that is capable of:

Last but not least, we will end this talk with a nice exclusive demo of the trojan and exploits and try to leave some time for Q&A.

ABOUT PETER GEISSLER (@bl4sty)

Independent security researcher/programmer and avid CTF player. Known for facilitating code execution on the Nintendo Wii and other game-console platforms. Member of fail0verflow and also a member of the .NL team of the Hack In The Box CTF organizing crew.